Encrypt Data Cloud with Customer-Managed Root Keys

By default, all data in Data Cloud is encrypted at rest in AWS by an AWS-managed data encryption key (DEK). With Platform Encryption for Data Cloud, you can generate a Data Cloud root key in Salesforce. Your Data Cloud root keys are specific to your org and secure the DEKs that encrypt and decrypt your data. In this way, you control the chain of keys that encrypt your data. Generate your Data Cloud root key from Salesforce Setup.
Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
Available as an add-on subscription in: Enterprise, Performance, Unlimited, and Developer Editions. Requires purchasing Salesforce Shield or Shield Platform Encryption, and Platform Encryption for Data Cloud.

User Permissions Needed
To generate, destroy, export, import, upload, and configure key material: Manage Encryption Keys
To view and edit Setup: View Setup and Configuration

You can generate root keys that encrypt Data Cloud data in both production and sandbox environments.

  1. From Setup, in the Quick Find box, enter Encryption Settings, and then select Encryption Settings.
  2. Turn on Manage Data Cloud Keys.
    Salesforce generates a root key for you. When it’s ready, you can see it on the Key Management page under the Data Cloud tab.
  3. Optionally, you can edit the description on your root key for easier key identification and auditing.
    1. From Setup, in the Quick Find box, enter Encryption Settings, and then select Key Management.
    2. In the Root Key Inventory section under the Data Cloud tab, click Details.
    3. Click Edit Description.
    4. Add a unique description, and then save your work.

The latest root key is your active root key. The active root key is used to secure your data encryption keys in AWS, which are used for encryption and decryption operations. You can rotate your Salesforce root key for Data Cloud every 3 months. DEKs are generated in AWS as needed.

Your initial DEK is immediately used to encrypt new data in Data Cloud, including search indexes. Salesforce also applies your DEK to existing data, which can take some time if you have a large amount of data in Data Cloud. Check the status of this process on the Data Cloud card on the Encryption Statistics page in Setup.

Root keys don’t control the data encryption keys used to encrypt unstructured data flows in Data Cloud.

Root keys are compatible with Data Cloud’s Sub-Second Real-Time feature. When you enable Sub-Second Real-Time in an org with an active Salesforce root key for Data Cloud, the feature can take up to 24 hours to start using that root key.

For Sub-Second Real-Time customers who require customer-managed key (CMK) encryption in Data Cloud, Salesforce uses tenant-level isolation for storing encrypted keys for unified profiles. This isolation ensures that each tenant's data is encrypted with its own keys.

Note